CVE-2020-14363

NameCVE-2020-14363
DescriptionAn integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2361-1, ELA-275-1
Debian Bugs969008

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libx11 (PTS)jessie, jessie (lts)2:1.6.2-3+deb8u7fixed
stretch (security)2:1.6.4-3+deb9u4fixed
stretch (lts), stretch2:1.6.4-3+deb9u6fixed
buster (security), buster, buster (lts)2:1.6.7-1+deb10u4fixed
bullseye (security), bullseye2:1.7.2-1+deb11u2fixed
bookworm (security), bookworm2:1.8.4-2+deb12u2fixed
sid, trixie2:1.8.10-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libx11sourcejessie2:1.6.2-3+deb8u4ELA-275-1
libx11sourcestretch2:1.6.4-3+deb9u3DLA-2361-1
libx11sourcebuster2:1.6.7-1+deb10u1
libx11source(unstable)2:1.6.12-1969008

Notes

https://lists.x.org/archives/xorg-announce/2020-August/003056.html
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d

Search for package or bug name: Reporting problems